[10289] in Security FYI
[IS&T Security-FYI] TA16-336A: Avalanche (crimeware-as-a-service infrastructure)
daemon@ATHENA.MIT.EDU (US-CERT)
Sat Dec 3 20:11:06 2016
Message-ID: <17112109.205659@ncas.us-cert.gov>
Date: Thu, 01 Dec 2016 12:16:47 -0600
To: security-fyi@mit.edu
From: "US-CERT" <US-CERT@ncas.us-cert.gov>
Reply-To: US-CERT@ncas.us-cert.gov
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:

TA16-336A: Avalanche (crimeware-as-a-service infrastructure) [ https://www.us-cert.gov/ncas/alerts/TA16-336A ] 12/01/2016 12:00 AM EST
Original release date: December 01, 2016
Systems Affected

Microsoft Windows

Overview

“Avalanche” refers to a large global network hosting infrastructure used by cyber criminals to conduct phishing and malware distribution campaigns and money mule schemes. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI), is releasing this Technical Alert to provide further information about Avalanche.

Description

Cyber criminals utilized Avalanche botnet infrastructure to host and distribute a variety of malware variants to victims, including the targeting of over 40 major financial institutions. Victims may have had their sensitive personal information stolen (e.g., user account credentials). Victims’ compromised systems may also have been used to conduct other malicious activity, such as launching denial-of-service (DoS) attacks or distributing malware variants to other victims’ computers.

In addition, Avalanche infrastructure was used to run money mule schemes where criminals recruited people to commit fraud involving transporting and laundering stolen money or merchandise.

Avalanche used fast-flux DNS, a technique that hides the criminal servers behind a constantly changing network of compromised systems acting as proxies.
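Fast-flux rotation leaves a measurable trace in resolver logs. As an added example that is not part of the US-CERT alert, the Python below scores constructed passive-DNS observations for the pattern the paragraph describes: one name answered by many different addresses spread across unrelated networks, each with a short TTL. The domain names, addresses, timestamps and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class DnsAnswer:
    ts: int      # epoch seconds at which the answer was observed
    qname: str   # queried name
    ttl: int     # TTL returned by the resolver, in seconds
    ip: str      # IPv4 address in the A record

# Constructed passive-DNS observations (documentation ranges, not real indicators).
SAMPLE_ANSWERS = [
    # Legitimate-looking name: two stable addresses in one /16, hour-long TTL.
    DnsAnswer(1480550400, "static.example-cdn.test", 3600, "198.51.100.10"),
    DnsAnswer(1480550400, "static.example-cdn.test", 3600, "198.51.100.11"),
    DnsAnswer(1480554000, "static.example-cdn.test", 3600, "198.51.100.10"),
    DnsAnswer(1480557600, "static.example-cdn.test", 3600, "198.51.100.11"),
    # Fluxing name: a fresh proxy address every five minutes, spread across
    # unrelated /16s, with a TTL short enough to rotate the set quickly.
    DnsAnswer(1480550400, "update-check.example-bad.test", 300, "203.0.113.5"),
    DnsAnswer(1480550700, "update-check.example-bad.test", 300, "192.0.2.77"),
    DnsAnswer(1480551000, "update-check.example-bad.test", 300, "198.51.100.201"),
    DnsAnswer(1480551300, "update-check.example-bad.test", 300, "203.0.113.140"),
    DnsAnswer(1480551600, "update-check.example-bad.test", 300, "192.0.2.9"),
    DnsAnswer(1480551900, "update-check.example-bad.test", 300, "100.64.3.18"),
]

def flux_stats(answers):
    """Per-name churn summary: distinct IPs, distinct /16 prefixes, lowest TTL,
    observation window, and the share of answers that returned a new IP."""
    by_name = defaultdict(list)
    for a in answers:
        by_name[a.qname].append(a)
    stats = {}
    for name, recs in by_name.items():
        ips = {r.ip for r in recs}
        # Collapse each address to its /16 so a swarm spread over many unrelated
        # networks is distinguished from one provider's contiguous block.
        prefixes = {ip_network(r.ip + "/16", strict=False) for r in recs}
        stats[name] = {
            "distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes),
            "min_ttl": min(r.ttl for r in recs),
            "window_s": max(r.ts for r in recs) - min(r.ts for r in recs),
            "churn": len(ips) / len(recs),
        }
    return stats

def is_fast_flux(s, min_ips=5, min_prefixes=3, max_ttl=600, min_churn=0.5):
    """Illustrative thresholds. Low TTL plus many IPs alone also describes CDNs and
    round-robin load balancing; the spread across unrelated /16s is the tell."""
    return (s["distinct_ips"] >= min_ips and s["distinct_prefixes"] >= min_prefixes
            and s["min_ttl"] <= max_ttl and s["churn"] >= min_churn)

def flag_fast_flux(answers, **thresholds):
    """Sorted names whose per-name statistics cross every threshold."""
    return sorted(n for n, s in flux_stats(answers).items()
                  if is_fast_flux(s, **thresholds))

if __name__ == "__main__":
    for name, s in flux_stats(SAMPLE_ANSWERS).items():
        print(name, "FLUX" if is_fast_flux(s) else "ok", s)
```

Real deployments tune the thresholds against a baseline of known CDN and load-balanced names, since those share the low-TTL, multi-address shape and differ mainly in prefix diversity.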
The following malware families were hosted on the infrastructure:

* Windows-encryption Trojan horse (WVT) (aka Matsnu, Injector, Rannoh, Ransomlock.P)
* URLzone (aka Bebloh)
* Citadel
* VM-ZeuS (aka KINS)
* Bugat (aka Feodo, Geodo, Cridex, Dridex, Emotet)
* newGOZ (aka GameOverZeuS)
* Tinba (aka TinyBanker)
* Nymaim/GozNym
* Vawtrak (aka Neverquest)
* Marcher
* Pandabanker
* Ranbyus
* Smart App
* TeslaCrypt
* Trusteer App
* Xswkit

Avalanche was also used as a fast-flux botnet that provides communication infrastructure for other botnets, including the following:

* TeslaCrypt
* Nymaim
* Corebot
* GetTiny
* Matsnu
* Rovnix
* Urlzone
* QakBot (aka Qbot, PinkSlip Bot)
Impact

A system infected with Avalanche-associated malware may be subject to malicious activity including the theft of user credentials and other sensitive data, such as banking and credit card information. Some of the malware had the capability to encrypt user files and demand a ransom be paid by the victim to regain access to those files. In addition, the malware may have allowed criminals unauthorized remote access to the infected computer. Infected systems could have been used to conduct distributed denial-of-service (DDoS) attacks.
Solution

Users are advised to take the following actions to remediate malware infections associated with Avalanche:

* "Use and maintain anti-virus software" – Anti-virus software recognizes and protects your computer against most known viruses. Even though parts of Avalanche are designed to evade detection, security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your anti-virus software up-to-date. If you suspect you may be a victim of Avalanche malware, update your anti-virus software definitions and run a full-system scan. (See Understanding Anti-Virus Software [ http://www.us-cert.gov/ncas/tips/ST04-005 ] for more information.)
* "Avoid clicking links in email" – Attackers have become very skilled at making phishing emails look legitimate. Users should ensure a link is legitimate by typing the address into a new browser window themselves rather than clicking it (see Avoiding Social Engineering and Phishing Attacks [ https://www.us-cert.gov/ncas/tips/ST04-014 ] for more information).
* "Change your passwords" – Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords [ http://www.us-cert.gov/ncas/tips/ST04-002 ] for more information.)
* "Keep your operating system and application software up-to-date" – Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches [ http://www.us-cert.gov/ncas/tips/ST04-006 ] for more information.)
* "Use anti-malware tools" – Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool. A non-exhaustive list of examples is provided below. The U.S. Government does not endorse or support any particular product or vendor.
    * ESET Online Scanner: https://www.eset.com/us/online-scanner/
    * F-Secure: https://www.f-secure.com/en/web/home_global/online-scanner
    * McAfee Stinger: http://www.mcafee.com/us/downloads/free-tools/index.aspx
    * Microsoft Safety Scanner: https://www.microsoft.com/security/scanner/en-us/default.aspx
    * Norton Power Eraser: https://norton.com/npe
References

* https://www.us-cert.gov/sites/default/files/publications/money_mules.pdf
* http://www.bankinfosecurity.com/avalanche-group-linked-to-fraud-a-2573

Revision History

* December 1, 2016: Initial release